The white paper, "A Risk Based Approach to DDoS Protection for Credit Unions and Credit Union Service Organizations," is written by Ray Zadjmool, president and principal consultant of Tevora, a Lake Forest, Calif., information assurance consulting firm with a focus on compliance, risk management and solutions integration.

DDoS involves using an army of hijacked computers to overwhelm a site with so many requests for attention that it is unable to respond to legitimate requests and thus becomes unavailable. It has become a popular method of making a political or ideological point, with the target chosen as some kind of symbol.

The paper makes four recommendations for combating DDoS:

DDoS Risk Assessments. A DDoS risk assessment should follow established methodologies for identification, impact analysis and treatment plan, the paper said. Credit unions should make a concerted effort to understand the effects of a disruption of services, the expected time to recover and the costs to remediate. Risk-reduction options also should be presented to offer a balanced approach that can be periodically evaluated for feasibility and cost effectiveness.

DDoS Incident Response Plan. As with any disaster recovery or incident, a plan for coordinating the credit union's response should be documented before an attack. A good DDoS Incident Response Plan must take into account the tools and personnel at the credit union's disposal that will be needed during a DDoS attack.

Third-Party Due Diligence. Credit unions should look at this as an expansion of existing third-party and vendor management activities to include a good understanding of criticality, risk and readiness. One place to start is to classify third parties that may be susceptible to a DDoS. Consider critical infrastructure, but also Web hosting and member-facing services.